| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| ... | |
| |
|
|
|
|
| |
Oh well, here it is...
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
to extend the ADS_STATUS system to include NTSTATUS, and to provide a better
general infrustructure for his sam_ads work.
I've also added some extra failure mode DEBUG()s to parts of the code.
NOTE: The ADS_ERR_OK() macro is rather sensitive to braketing issues - without
the final set of brakets, the test is essentially inverted - causing some
intersting 'error = success' messages...
Andrew Bartlett
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
we now do this:
- look for suported SASL mechanisms on the LDAP server
- choose GSS-SPNEGO if possible
- within GSS-SPNEGO choose KRB5 if we can do a kinit
- otherwise use NTLMSSP
This change also means that we no longer rely on having a gssapi
library to do ADS.
todo:
- add TLS/SSL support over LDAP
- change to using LDAP/SSL for password change in ADS
|
| |
|
|
| |
with non-const values - strsep not defined
|
| |
|
|
| |
we get a response from WINS for a PDC, if the PDC isn't responding.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
setups.
- split up the ads structure into logical pieces. This makes it much
easier to keep things like the authentication realm and the server
realm separate (they can be different).
- allow ads callers to specify that no sasl bind should be performed
(used by "net ads info" for example)
- fix an error with handing ADS_ERROR_SYSTEM() when errno is 0
- completely rewrote the code for finding the LDAP server. Now try DNS
methods first, and try all DNS servers returned from the SRV DNS
query, sorted by closeness to our interfaces (using the same sort code
as we use in replies from WINS servers). This allows us to cope with
ADS DCs that are down, and ensures we don't pick one that is on the
other side of the country unless absolutely necessary.
- recognise dnsRecords as binary when displaying them
- cope with the realm not being configured in smb.conf (work it out
from the LDAP server)
- look at the trustDirection when looking up trusted domains and don't
include trusts that trust our domains but we don't trust
theirs.
- use LDAP to query the alternate (netbios) name for a realm, and make
sure that both and long and short forms of the name are accepted by
winbindd. Use the short form by default for listing users/groups.
- rescan the list of trusted domains every 5 minutes in case new trust
relationships are added while winbindd is running
- include transient trust relationships (ie. C trusts B, B trusts A,
so C trusts A) in winbindd.
- don't do a gratuituous node status lookup when finding an ADS DC (we
don't need it and it could fail)
- remove unused sid_to_distinguished_name function
- make sure we find the allternate name of our primary domain when
operating with a netbiosless ADS DC (using LDAP to do the lookup)
- fixed the rpc trusted domain enumeration to support up to approx
2000 trusted domains (the old limit was 3)
- use the IP for the remote_machine (%m) macro when the client doesn't
supply us with a name via a netbios session request (eg. port 445)
- if the client uses SPNEGO then use the machine name from the SPNEGO
auth packet for remote_machine (%m) macro
- add new 'net ads workgroup' command to find the netbios workgroup
name for a realm
|
| |
|
|
|
|
| |
from some of the callers.
Andrew Bartlett
|
| |
|
|
| |
very useful in scripts
|
| |
|
|
|
| |
without any 'realm =' or 'ads server =' options at all, as long as DNS
is working right.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
(and yes, some of these are real bugs)
In particular, the samr code was doing an &foo of various types, to a function
that assumed uint32. If time_t isn't 32 bits long, that broke.
They are assignment compatible however, so use that and an intermediate
variable.
Andrew Bartlett
|
| |
|
|
|
| |
same name as the machine name exists. (we ended up setting the users
password, not the machines password!)
|
| |
|
|
|
|
|
|
|
|
|
|
| |
membership from an ADS server. We now use a 'member' query on the
group and do a separate call to convert the resulting distinguished
name to a name, rid etc. This is *much* faster for very large numbers
of groups (on a quantum test system with 10000 groups it drops the
time from an hour to about 35 seconds).
strangely enough, this actually *increases* the amount of ldap
traffic, its just that the MS LDAP server answers these queries much
faster.
|
| |
|
|
| |
a char** isn't quite the same thing as a struct berval** :)
|
| |
|
|
| |
broken
|
| |
|
|
|
|
| |
Also remove unused line which incremented pointer by the wrong length anyway.
Provided by Anthony Liguori (aliguori@us.ibm.com).
|
| | |
|
| |
|
|
| |
code
|
| |
|
|
|
| |
this fixes the huge number of struct berval warnings on non-ads
compiles
|
| |
|
|
| |
str_list_copy(). Perhaps its proto should be fixed.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Now smbclient, net, and swat use their own proto files - now the global
proto.h
The change to libads/kerberos.c was to break up the dependency on secrets.c -
we want to be able to write an ADS client that doesn't need local secrets.
I have other breakups in the works - I will remove the dependency of
rpc_parse on passdb (and therefore secrets.c) shortly.
(NOTE: This patch does *not* break up includes.h, or other such forbidden
actions).
Andrew Bartlett
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
though it is up to the calling function to decide whether values are
strings or not. Attributes are not converted at this point, though support
for it would be simple.
I have tested it with users and groups using non-ascii chars, and if the
check for alphanumeric user/domain names is removed form sesssetup.c, even
a user with accented chars can connect, or even login (via winbind).
I have also simplified the interfaces to ads_mod_*, though we will probably
want to expand this by a few functions in the near future. We just had
too many ways to do the same thing...
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
changes ...
|
| | |
|
| |
|
|
| |
libraries with handling blank passwords.
|
| |
|
|
|
|
| |
- Add doxygen comments
- remove server sort control (ms implementation was not reliable)
- rename ads_do_search_all2() to ads_do_search_all_fn()
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
- Added sort control to ads_do_paged_search. It allows a char * to be passed
as the sort key. If NULL, no sort is done.
- fixed a bug in the processing of controls (loop wasn't incremented properly)
- Added ads_do_search_all2, which funs a function that is passed in against
each entry. No ldapmessage structures are returned. Allows results to
be processed as the come in on each page.
I'd like ads_do_search_all2 to replace ads_do_search_all, but there's some
work to be done in winbindd_ads.c first.
Also, perhaps now we can do async ldap searches? Allow us to process a
page while the server retrieves the next one?
|
| |
|
|
| |
out since it's already in ads_errstr() in ads_status.c
|
| |
|
|
| |
to find and add a user.
|
| |
|
|
| |
I've got the cases besides gssapi...anyone know how to get those?
|
| |
|
|
|
|
|
|
| |
entry returned from a search, and applies it to the results. Re-structured
ads_dump to use this, plus changed the ber_free in ads_dump from (b,1) to
(b,0), in accordance with openldap manpages. Also allows proper free of
result using ldap_msgfree afterwards, so you can do something with the
results after an ads_dump.
|
| |
|
|
| |
defeats the purpose.
|
| |
|
|
|
|
| |
the scope limited to the domain at hand, and also keeps the openldap
libs happy, since they don't currently chase referrals and return
server controls properly at the same time.
|
| | |
|
| |
|
|
|
| |
to paged searches. This makes updating winbindd to used paged searches
trivial.
|
| |
|
|
|
| |
referrals parsing in the openldap libs. By disabling referrals we get
valid controls back and the cookies work.
|
| |
|
|
| |
ads_do_paged_search, is the same as ads_do_search, but it also contains a count of records returned in this page, and a cookie for resuming, to be passed back. The cookie must start off NULL, and when it returns as NULL, the search is done.
|
| |
|
|
|
|
| |
the problem is, how the heck do we properly handle these? Jerry?
It seems that the Win2000 ADS server only returns a max of 1000 records!
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
| |
<a.kotovich@sam-solutions.net> that adds the security decsriptor code
for ADS workstation accounts
thanks for your patience Cat, and thanks to Andrew Bartlett for
extensive reviews and suggestions about this code.
|
| | |
|
| |
|
|
| |
should be LDAP_MOD_REPLACE. Caught by Alexey Kotovich.
|
| | |
|
| | |
|
